aspose file tools*
The moose likes Security and the fly likes Where to store the user credentials in an enterprise application(EAI) Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Engineering » Security
Bookmark "Where to store the user credentials in an enterprise application(EAI)" Watch "Where to store the user credentials in an enterprise application(EAI)" New topic
Author

Where to store the user credentials in an enterprise application(EAI)

Arnav Velimala
Ranch Hand

Joined: Jun 04, 2007
Posts: 37
We are developing a Event Notification Service. The application at a high level looks like below:



Our developene scope involves widget and the ENS.

"ENS" acts as a central point of collection for certain types of events that are of interest to users. Any user who wants to know when these types of events occur registers with ENS, which identifies events in order and matches notifications with subscriptions.

The user who wants to subscibe should be a valid user of the intergrated application(db, sap system etc)

The sequence of events:



ENS are the web-services.

ENS polls the SAP(and other applications) and this is where the problem is becoming more complex. In SAP there is data-level authorization. So not all users are allowed to see all the events/data.

If the SAP has PUSHed the data, along with the User info who has authorized to see, then no issues at all.

Case 1: Scheduler is initiated by the ENS

1. User subscribes to a subscription. At the time of subscription, user is checked for his authorization in the SAP system. If OK, then he will be allowed for Subscription.
2. The scheduler runs at the scheduled time.
3. The scheduler identifies the users who are subscribed.
4. The scheduler uses the stored credentials of the users(stroed in ENS) to POLL if the event occured.
5. Notify users if there are changes.

Disadvs here:

* User credentials are stored somewhere external - Security team might not accept it
* Reduntant hits if more than one user is subscribed for the same piece of information

Case 2: Scheduler is intitated by the WIDGET. User creds will be stored in the users local machine only. Diadv:

* If the subscription is daily, and if the user system/widget is not up. The user might miss the notifications that happened on say, weekends.
* Reduntant hits to the server if more than one user is subscribed for the same piece of information.

my question/doubts:

What is the best pracitces in storing the Users db, sap etc credentials.

How often should the user be authenticated? Should be everytime the messages are delivered?(if I use this strategy, it will affect the source system)


Jan Cumps
Bartender

Joined: Dec 20, 2006
Posts: 2516
    
  10

I have moved this question to our Security forum.
Although it fits in several of our forums, this is the one where you can get the safest and most secure advise.


OCUP UML fundamental and ITIL foundation
youtube channel
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Where to store the user credentials in an enterprise application(EAI)